6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

Analysis

max time kernel
167s
max time network
196s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe
Size

192KB
MD5

43d7bcb215e8a89ddeb3cb42bade9380
SHA1

edd3f8ceb1aa19ac14105dc0810f045c693feb3c
SHA256

6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e
SHA512

6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200
SSDEEP

1536:xsJlOGa8LMKJJlgENcWV7E4syJ9gzZ4k0HfijBh6yRMML/rEfh:xsJlOGa8bJl3VsyJKzA2BEYIfh

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 19 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

SVIQ.EXEFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exe6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exeFun.exeFun.exeFun.exedc.exeFun.exeFun.exeFun.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	SVIQ.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	dc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\system32\\WinSit.exe"	Fun.exe

Executes dropped EXE 39 IoCs

Processes:

Fun.exeSVIQ.EXEdc.exeFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeFun.exeFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeFun.exeFun.exeFun.exeSVIQ.EXEFun.exeFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXE

pid	process
936	Fun.exe
468	SVIQ.EXE
532	dc.exe
1428	Fun.exe
328	SVIQ.EXE
684	Fun.exe
536	SVIQ.EXE
1816	Fun.exe
1540	SVIQ.EXE
1692	Fun.exe
1104	SVIQ.EXE
1592	Fun.exe
924	SVIQ.EXE
1300	Fun.exe
892	Fun.exe
1804	Fun.exe
1808	SVIQ.EXE
1816	Fun.exe
1956	SVIQ.EXE
1204	Fun.exe
1504	SVIQ.EXE
1704	Fun.exe
1760	SVIQ.EXE
1896	Fun.exe
1572	Fun.exe
1612	Fun.exe
1116	Fun.exe
568	SVIQ.EXE
1600	Fun.exe
1620	Fun.exe
1180	SVIQ.EXE
684	Fun.exe
1900	SVIQ.EXE
916	Fun.exe
672	SVIQ.EXE
1220	Fun.exe
1184	SVIQ.EXE
568	Fun.exe
924	SVIQ.EXE

Loads dropped DLL 64 IoCs

Processes:

6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exeFun.exeSVIQ.EXEFun.exedc.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exe

pid	process
1888	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe
936	Fun.exe
936	Fun.exe
936	Fun.exe
468	SVIQ.EXE
1428	Fun.exe
1428	Fun.exe
1428	Fun.exe
532	dc.exe
684	Fun.exe
684	Fun.exe
684	Fun.exe
468	SVIQ.EXE
1816	Fun.exe
1816	Fun.exe
1816	Fun.exe
532	dc.exe
1692	Fun.exe
1692	Fun.exe
1692	Fun.exe
468	SVIQ.EXE
1592	Fun.exe
1592	Fun.exe
1592	Fun.exe
532	dc.exe
468	SVIQ.EXE
892	Fun.exe
892	Fun.exe
892	Fun.exe
1300	Fun.exe
1300	Fun.exe
1300	Fun.exe
468	SVIQ.EXE
1804	Fun.exe
1804	Fun.exe
1804	Fun.exe
532	dc.exe
1816	Fun.exe
1816	Fun.exe
1816	Fun.exe
468	SVIQ.EXE
1204	Fun.exe
1204	Fun.exe
1204	Fun.exe
532	dc.exe
1704	Fun.exe
1704	Fun.exe
1704	Fun.exe
468	SVIQ.EXE
532	dc.exe
1896	Fun.exe
1896	Fun.exe
1572	Fun.exe
1896	Fun.exe
1572	Fun.exe
1572	Fun.exe
532	dc.exe
468	SVIQ.EXE
1612	Fun.exe
1612	Fun.exe
1612	Fun.exe
1116	Fun.exe
1116	Fun.exe
1116	Fun.exe

Adds Run key to start application 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Fun.exeFun.exeFun.exeFun.exedc.exeFun.exeFun.exeFun.exeFun.exeFun.exe6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exeFun.exeFun.exeFun.exeFun.exeFun.exeSVIQ.EXEFun.exeFun.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	SVIQ.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	SVIQ.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	SVIQ.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	dc.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc = "C:\\Windows\\dc.exe"	SVIQ.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fun = "C:\\Windows\\system\\Fun.exe"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\dc2k5 = "C:\\Windows\\SVIQ.EXE"	Fun.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run	Fun.exe

Drops file in System32 directory 40 IoCs

Processes:

6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeSVIQ.EXEdc.exeFun.exeFun.exeFun.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File created	C:\Windows\SysWOW64\WinSit.exe	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File created	C:\Windows\SysWOW64\config\Win.exe	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	SVIQ.EXE
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	SVIQ.EXE
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	dc.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	dc.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\WinSit.exe	Fun.exe
File opened for modification	C:\Windows\SysWOW64\config\Win.exe	Fun.exe

Drops file in Windows directory 64 IoCs

Processes:

Fun.exedc.exeFun.exeFun.exeSVIQ.EXEFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exeFun.exe6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exeFun.exeFun.exeFun.exeFun.exe

description	ioc	process
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	dc.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	SVIQ.EXE
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File opened for modification	C:\Windows\wininit.ini	SVIQ.EXE
File opened for modification	C:\Windows\inf\Other.exe	dc.exe
File opened for modification	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File opened for modification	C:\Windows\SVIQ.EXE	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe
File opened for modification	C:\Windows\wininit.ini	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\dc.exe	dc.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File opened for modification	C:\Windows\system\Fun.exe	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe
File created	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\dc.exe	Fun.exe
File created	C:\Windows\dc.exe	dc.exe
File opened for modification	C:\Windows\inf\Other.exe	Fun.exe
File created	C:\Windows\system\Fun.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\wininit.ini	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe
File created	C:\Windows\SVIQ.EXE	Fun.exe
File opened for modification	C:\Windows\Help\Other.exe	Fun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exeFun.exeSVIQ.EXEdc.exe

pid	process
1888	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe
1888	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe
936	Fun.exe
468	SVIQ.EXE
532	dc.exe
468	SVIQ.EXE
936	Fun.exe
532	dc.exe
468	SVIQ.EXE
1888	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe
532	dc.exe
936	Fun.exe
468	SVIQ.EXE
532	dc.exe
936	Fun.exe
468	SVIQ.EXE
532	dc.exe
936	Fun.exe
468	SVIQ.EXE
532	dc.exe
936	Fun.exe
468	SVIQ.EXE
532	dc.exe
936	Fun.exe
468	SVIQ.EXE
532	dc.exe
936	Fun.exe
468	SVIQ.EXE
532	dc.exe
936	Fun.exe
468	SVIQ.EXE
532	dc.exe
936	Fun.exe
468	SVIQ.EXE
936	Fun.exe
532	dc.exe
468	SVIQ.EXE
532	dc.exe
936	Fun.exe
468	SVIQ.EXE
532	dc.exe
936	Fun.exe
468	SVIQ.EXE
532	dc.exe
936	Fun.exe
468	SVIQ.EXE
532	dc.exe
936	Fun.exe
468	SVIQ.EXE
532	dc.exe
936	Fun.exe
468	SVIQ.EXE
532	dc.exe
936	Fun.exe
468	SVIQ.EXE
532	dc.exe
468	SVIQ.EXE
532	dc.exe
468	SVIQ.EXE
532	dc.exe
468	SVIQ.EXE
532	dc.exe
468	SVIQ.EXE
532	dc.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exeFun.exeSVIQ.EXEdc.exeFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeFun.exeFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeSVIQ.EXEFun.exeFun.exeFun.exeFun.exeSVIQ.EXEFun.exeFun.exeSVIQ.EXE

pid	process
1888	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe
1888	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe
936	Fun.exe
936	Fun.exe
468	SVIQ.EXE
468	SVIQ.EXE
532	dc.exe
532	dc.exe
1428	Fun.exe
1428	Fun.exe
328	SVIQ.EXE
328	SVIQ.EXE
684	Fun.exe
684	Fun.exe
536	SVIQ.EXE
536	SVIQ.EXE
1816	Fun.exe
1816	Fun.exe
1540	SVIQ.EXE
1540	SVIQ.EXE
1692	Fun.exe
1692	Fun.exe
1104	SVIQ.EXE
1104	SVIQ.EXE
1592	Fun.exe
1592	Fun.exe
924	SVIQ.EXE
924	SVIQ.EXE
1300	Fun.exe
892	Fun.exe
1300	Fun.exe
892	Fun.exe
1804	Fun.exe
1804	Fun.exe
1808	SVIQ.EXE
1808	SVIQ.EXE
1816	Fun.exe
1816	Fun.exe
1956	SVIQ.EXE
1956	SVIQ.EXE
1204	Fun.exe
1204	Fun.exe
1504	SVIQ.EXE
1504	SVIQ.EXE
1704	Fun.exe
1704	Fun.exe
1760	SVIQ.EXE
1760	SVIQ.EXE
1572	Fun.exe
1896	Fun.exe
1896	Fun.exe
1572	Fun.exe
1612	Fun.exe
1116	Fun.exe
1612	Fun.exe
1116	Fun.exe
568	SVIQ.EXE
1620	Fun.exe
1600	Fun.exe
1620	Fun.exe
568	SVIQ.EXE
1600	Fun.exe
1180	SVIQ.EXE
1180	SVIQ.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exeFun.exeSVIQ.EXEFun.exedc.exeFun.exeFun.exe

description	pid	process	target process
PID 1888 wrote to memory of 936	1888	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe	Fun.exe
PID 1888 wrote to memory of 936	1888	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe	Fun.exe
PID 1888 wrote to memory of 936	1888	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe	Fun.exe
PID 1888 wrote to memory of 936	1888	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe	Fun.exe
PID 1888 wrote to memory of 936	1888	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe	Fun.exe
PID 1888 wrote to memory of 936	1888	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe	Fun.exe
PID 1888 wrote to memory of 936	1888	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe	Fun.exe
PID 936 wrote to memory of 468	936	Fun.exe	SVIQ.EXE
PID 936 wrote to memory of 468	936	Fun.exe	SVIQ.EXE
PID 936 wrote to memory of 468	936	Fun.exe	SVIQ.EXE
PID 936 wrote to memory of 468	936	Fun.exe	SVIQ.EXE
PID 936 wrote to memory of 468	936	Fun.exe	SVIQ.EXE
PID 936 wrote to memory of 468	936	Fun.exe	SVIQ.EXE
PID 936 wrote to memory of 468	936	Fun.exe	SVIQ.EXE
PID 1888 wrote to memory of 532	1888	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe	dc.exe
PID 1888 wrote to memory of 532	1888	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe	dc.exe
PID 1888 wrote to memory of 532	1888	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe	dc.exe
PID 1888 wrote to memory of 532	1888	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe	dc.exe
PID 1888 wrote to memory of 532	1888	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe	dc.exe
PID 1888 wrote to memory of 532	1888	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe	dc.exe
PID 1888 wrote to memory of 532	1888	6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe	dc.exe
PID 468 wrote to memory of 1428	468	SVIQ.EXE	Fun.exe
PID 468 wrote to memory of 1428	468	SVIQ.EXE	Fun.exe
PID 468 wrote to memory of 1428	468	SVIQ.EXE	Fun.exe
PID 468 wrote to memory of 1428	468	SVIQ.EXE	Fun.exe
PID 468 wrote to memory of 1428	468	SVIQ.EXE	Fun.exe
PID 468 wrote to memory of 1428	468	SVIQ.EXE	Fun.exe
PID 468 wrote to memory of 1428	468	SVIQ.EXE	Fun.exe
PID 1428 wrote to memory of 328	1428	Fun.exe	SVIQ.EXE
PID 1428 wrote to memory of 328	1428	Fun.exe	SVIQ.EXE
PID 1428 wrote to memory of 328	1428	Fun.exe	SVIQ.EXE
PID 1428 wrote to memory of 328	1428	Fun.exe	SVIQ.EXE
PID 1428 wrote to memory of 328	1428	Fun.exe	SVIQ.EXE
PID 1428 wrote to memory of 328	1428	Fun.exe	SVIQ.EXE
PID 1428 wrote to memory of 328	1428	Fun.exe	SVIQ.EXE
PID 532 wrote to memory of 684	532	dc.exe	Fun.exe
PID 532 wrote to memory of 684	532	dc.exe	Fun.exe
PID 532 wrote to memory of 684	532	dc.exe	Fun.exe
PID 532 wrote to memory of 684	532	dc.exe	Fun.exe
PID 532 wrote to memory of 684	532	dc.exe	Fun.exe
PID 532 wrote to memory of 684	532	dc.exe	Fun.exe
PID 532 wrote to memory of 684	532	dc.exe	Fun.exe
PID 684 wrote to memory of 536	684	Fun.exe	SVIQ.EXE
PID 684 wrote to memory of 536	684	Fun.exe	SVIQ.EXE
PID 684 wrote to memory of 536	684	Fun.exe	SVIQ.EXE
PID 684 wrote to memory of 536	684	Fun.exe	SVIQ.EXE
PID 684 wrote to memory of 536	684	Fun.exe	SVIQ.EXE
PID 684 wrote to memory of 536	684	Fun.exe	SVIQ.EXE
PID 684 wrote to memory of 536	684	Fun.exe	SVIQ.EXE
PID 468 wrote to memory of 1816	468	SVIQ.EXE	Fun.exe
PID 468 wrote to memory of 1816	468	SVIQ.EXE	Fun.exe
PID 468 wrote to memory of 1816	468	SVIQ.EXE	Fun.exe
PID 468 wrote to memory of 1816	468	SVIQ.EXE	Fun.exe
PID 468 wrote to memory of 1816	468	SVIQ.EXE	Fun.exe
PID 468 wrote to memory of 1816	468	SVIQ.EXE	Fun.exe
PID 468 wrote to memory of 1816	468	SVIQ.EXE	Fun.exe
PID 1816 wrote to memory of 1540	1816	Fun.exe	SVIQ.EXE
PID 1816 wrote to memory of 1540	1816	Fun.exe	SVIQ.EXE
PID 1816 wrote to memory of 1540	1816	Fun.exe	SVIQ.EXE
PID 1816 wrote to memory of 1540	1816	Fun.exe	SVIQ.EXE
PID 1816 wrote to memory of 1540	1816	Fun.exe	SVIQ.EXE
PID 1816 wrote to memory of 1540	1816	Fun.exe	SVIQ.EXE
PID 1816 wrote to memory of 1540	1816	Fun.exe	SVIQ.EXE
PID 532 wrote to memory of 1692	532	dc.exe	Fun.exe

C:\Users\Admin\AppData\Local\Temp\6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe
"C:\Users\Admin\AppData\Local\Temp\6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:328

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1540

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1592

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:924

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1300

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1804

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1808

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1204

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1504

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1896

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1116

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:568

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1620

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:684

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
PID:1900

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:1220

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
5⤵
- Executes dropped EXE
PID:1184

C:\Windows\dc.exe
C:\Windows\dc.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:536

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1692

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1104

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:892

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1816

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1956

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1704

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1760

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1572

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1612

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1600

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1180

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:916

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
4⤵
- Executes dropped EXE
PID:672

C:\Windows\system\Fun.exe
C:\Windows\system\Fun.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:568

C:\Windows\SVIQ.EXE
C:\Windows\SVIQ.EXE
4⤵
- Executes dropped EXE
PID:924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Help\Other.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\Help\Other.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\Help\Other.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\Help\Other.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\Help\Other.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\Help\Other.exe
Filesize
63KB

MD5
bbd7c196f0a6f079ca4239b796e8aec6

SHA1
0ceca98382c1f64b4bf689cf13a964b7a5c212d2

SHA256
ccd04250076cb72f3b174954aab7bb56013ceeba10792f735767f437104b5c36

SHA512
c279a245682bf2bd3d5d3fcbd4be5d277c84caa122bee6a7f186f5daacd870c0391fffb2f8a9051ceaf3bc4c37376c4f57bbd24835a4a747e8c63ed13932143d

Download Submit
C:\Windows\SVIQ.EXE
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\SVIQ.EXE
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\SVIQ.EXE
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\SVIQ.EXE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SVIQ.EXE
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\SVIQ.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\SysWOW64\WinSit.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\SysWOW64\WinSit.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\SysWOW64\WinSit.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\SysWOW64\WinSit.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\SysWOW64\WinSit.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\SysWOW64\WinSit.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\SysWOW64\config\Win.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\SysWOW64\config\Win.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\SysWOW64\config\Win.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\SysWOW64\config\Win.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\SysWOW64\config\Win.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\SysWOW64\config\Win.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\dc.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\dc.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\dc.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\dc.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\inf\Other.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\inf\Other.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\inf\Other.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\inf\Other.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\inf\Other.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\inf\Other.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\system\Fun.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\system\Fun.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\system\Fun.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\system\Fun.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\system\Fun.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\system\Fun.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
C:\Windows\wininit.ini
Filesize
41B

MD5
e839977c0d22c9aa497b0b1d90d8a372

SHA1
b5048e501399138796b38f3d3666e1a88c397e83

SHA256
478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2

SHA512
4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

Download Submit
C:\Windows\wininit.ini
Filesize
41B

MD5
e839977c0d22c9aa497b0b1d90d8a372

SHA1
b5048e501399138796b38f3d3666e1a88c397e83

SHA256
478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2

SHA512
4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

Download Submit
C:\Windows\wininit.ini
Filesize
41B

MD5
e839977c0d22c9aa497b0b1d90d8a372

SHA1
b5048e501399138796b38f3d3666e1a88c397e83

SHA256
478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2

SHA512
4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

Download Submit
C:\Windows\wininit.ini
Filesize
41B

MD5
e839977c0d22c9aa497b0b1d90d8a372

SHA1
b5048e501399138796b38f3d3666e1a88c397e83

SHA256
478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2

SHA512
4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

Download Submit
C:\Windows\wininit.ini
Filesize
41B

MD5
e839977c0d22c9aa497b0b1d90d8a372

SHA1
b5048e501399138796b38f3d3666e1a88c397e83

SHA256
478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2

SHA512
4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

Download Submit
C:\Windows\wininit.ini
Filesize
41B

MD5
e839977c0d22c9aa497b0b1d90d8a372

SHA1
b5048e501399138796b38f3d3666e1a88c397e83

SHA256
478db7f82fd7ef4860f7acd2f534ec303175500d7f4e1e36161d31c900d234e2

SHA512
4c8ba5a26b6f738f8d25c32d019cee63e9a32d28e3aeb8fe31b965d7603c24a3539e469c8eb569747b47dadc9c43cdd1066ddb37ed8138bee5d0c74b5d0c275d

Download Submit
\Windows\system\Fun.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
\Windows\system\Fun.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
\Windows\system\Fun.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
\Windows\system\Fun.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
\Windows\system\Fun.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
\Windows\system\Fun.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
\Windows\system\Fun.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
\Windows\system\Fun.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
\Windows\system\Fun.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
\Windows\system\Fun.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
\Windows\system\Fun.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
\Windows\system\Fun.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
\Windows\system\Fun.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
\Windows\system\Fun.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
\Windows\system\Fun.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
\Windows\system\Fun.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
\Windows\system\Fun.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
\Windows\system\Fun.exe
Filesize
192KB

MD5
43d7bcb215e8a89ddeb3cb42bade9380

SHA1
edd3f8ceb1aa19ac14105dc0810f045c693feb3c

SHA256
6103f030b0bae2cdbe5a7fd79fb5cf035962eda5406af7fe29aa967a82d1419e

SHA512
6f0e9bafa674f9dfcff192f2713745ffd6cb2e8974ded277541882b096b4f32d2554bfe67c854c97b3dd46616c7430992d2f91e7b0e085d725ed4a79e1b0c200

Download Submit
memory/328-132-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/328-127-0x0000000000000000-mapping.dmp

Download
memory/468-219-0x0000000001C80000-0x0000000001CAB000-memory.dmp

Filesize
172KB

Download
memory/468-285-0x0000000001C80000-0x0000000001CAB000-memory.dmp

Filesize
172KB

Download
memory/468-314-0x0000000001CC0000-0x0000000001CEB000-memory.dmp

Filesize
172KB

Download
memory/468-104-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/468-116-0x0000000001C80000-0x0000000001CAB000-memory.dmp

Filesize
172KB

Download
memory/468-80-0x0000000000000000-mapping.dmp

Download
memory/468-200-0x0000000001C80000-0x0000000001CAB000-memory.dmp

Filesize
172KB

Download
memory/532-247-0x00000000002B0000-0x00000000002DB000-memory.dmp

Filesize
172KB

Download
memory/532-294-0x00000000002B0000-0x00000000002DB000-memory.dmp

Filesize
172KB

Download
memory/532-105-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/532-157-0x00000000002B0000-0x00000000002DB000-memory.dmp

Filesize
172KB

Download
memory/532-218-0x00000000002B0000-0x00000000002DB000-memory.dmp

Filesize
172KB

Download
memory/532-267-0x00000000002B0000-0x00000000002DB000-memory.dmp

Filesize
172KB

Download
memory/532-313-0x00000000002B0000-0x00000000002DB000-memory.dmp

Filesize
172KB

Download
memory/532-93-0x0000000000000000-mapping.dmp

Download
memory/536-155-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/536-150-0x0000000000000000-mapping.dmp

Download
memory/568-367-0x0000000000000000-mapping.dmp

Download
memory/568-304-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/568-300-0x0000000000000000-mapping.dmp

Download
memory/672-347-0x0000000000000000-mapping.dmp

Download
memory/684-156-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/684-329-0x0000000000000000-mapping.dmp

Download
memory/684-136-0x0000000000000000-mapping.dmp

Download
memory/892-211-0x0000000000000000-mapping.dmp

Download
memory/892-224-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/892-221-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/916-342-0x0000000000000000-mapping.dmp

Download
memory/924-203-0x0000000000000000-mapping.dmp

Download
memory/924-372-0x0000000000000000-mapping.dmp

Download
memory/924-208-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/936-79-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/936-108-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/936-103-0x00000000002D0000-0x00000000002FB000-memory.dmp

Filesize
172KB

Download
memory/936-61-0x0000000000000000-mapping.dmp

Download
memory/1104-190-0x0000000000000000-mapping.dmp

Download
memory/1104-194-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1116-296-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1116-287-0x0000000000000000-mapping.dmp

Download
memory/1116-303-0x00000000003D0000-0x00000000003FB000-memory.dmp

Filesize
172KB

Download
memory/1180-321-0x0000000000000000-mapping.dmp

Download
memory/1180-325-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1180-327-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1184-361-0x0000000000000000-mapping.dmp

Download
memory/1204-258-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1204-248-0x0000000000000000-mapping.dmp

Download
memory/1220-356-0x0000000000000000-mapping.dmp

Download
memory/1300-210-0x0000000000000000-mapping.dmp

Download
memory/1300-220-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1300-225-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1428-117-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1428-119-0x0000000000230000-0x000000000025B000-memory.dmp

Filesize
172KB

Download
memory/1428-110-0x0000000000000000-mapping.dmp

Download
memory/1428-133-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1428-134-0x0000000000330000-0x0000000000332000-memory.dmp

Filesize
8KB

Download
memory/1504-257-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1504-253-0x0000000000000000-mapping.dmp

Download
memory/1540-173-0x0000000000000000-mapping.dmp

Download
memory/1540-178-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1572-283-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1572-274-0x0000000000000000-mapping.dmp

Download
memory/1592-209-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1592-204-0x00000000003C0000-0x00000000003EB000-memory.dmp

Filesize
172KB

Download
memory/1592-196-0x0000000000000000-mapping.dmp

Download
memory/1592-201-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1600-315-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1600-305-0x0000000000000000-mapping.dmp

Download
memory/1600-324-0x0000000000960000-0x000000000098B000-memory.dmp

Filesize
172KB

Download
memory/1612-295-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1612-298-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1612-286-0x0000000000000000-mapping.dmp

Download
memory/1620-306-0x0000000000000000-mapping.dmp

Download
memory/1620-316-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1620-319-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1692-195-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1692-183-0x0000000000000000-mapping.dmp

Download
memory/1704-268-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1704-272-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1704-259-0x0000000000000000-mapping.dmp

Download
memory/1760-264-0x0000000000000000-mapping.dmp

Download
memory/1760-269-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1760-271-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1804-235-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1804-226-0x0000000000000000-mapping.dmp

Download
memory/1808-231-0x0000000000000000-mapping.dmp

Download
memory/1816-180-0x00000000003A0000-0x00000000003CB000-memory.dmp

Filesize
172KB

Download
memory/1816-179-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1816-181-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1816-246-0x00000000002C0000-0x00000000002EB000-memory.dmp

Filesize
172KB

Download
memory/1816-236-0x0000000000000000-mapping.dmp

Download
memory/1816-159-0x0000000000000000-mapping.dmp

Download
memory/1888-59-0x0000000000230000-0x000000000025B000-memory.dmp

Filesize
172KB

Download
memory/1888-78-0x0000000000390000-0x00000000003BB000-memory.dmp

Filesize
172KB

Download
memory/1888-106-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1888-107-0x0000000000230000-0x000000000023D000-memory.dmp

Filesize
52KB

Download
memory/1888-54-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1888-58-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1896-284-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1896-273-0x0000000000000000-mapping.dmp

Download
memory/1900-337-0x0000000000000000-mapping.dmp

Download
memory/1956-241-0x0000000000000000-mapping.dmp

Download
memory/1956-245-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download